Attacks on the layer two of the OSI model (VII): 802.1Q

The IEEE 802.1Q protocol is a public specification. It describes the format used by packets going through trunking links. Due to the open nature of the specification, this standard is now accepted by most manufacturers and it's a common way to establish trunks between switches of different vendors. However, it's not the only one. Most manufacturers have their own solutions. For instance, Cisco also uses its own, proprietary protocol ISL (Inter-Switch Link).

When a switch receives a frame, it adds a 802.1Q tag (4 bytes), recomputes the FCS (Frame Check Sequence) and sends the original frame with the modifications to the trunking link. The VID field identifies the VLAN to which the packet belongs. That identifier value can range from 0 to 4096. Theoretically, if we establish a trunking link and the switch supports 802.1Q, we could send packets to different VLANs.
In order to use 802.1Q it's mandatory to establish a trunk. In the previous section we've seen, how we can enable a trunk with DTP and, in addition, specify that the encapsulation will be done using 802.1Q. Let's suppose then, that the trunk link has been established in a corresponding port. The attacks against 802.1Q can be divided into two classes:

• sending 802.1Q frames in order to send them to VLANs which don't belong to the attacker,
• use of double encapsulated 802.1Q frames - this kind of an attack adds two tags to the original frame with the purpose of using the VLAN from the second tag as destination, when the switch removes the first tag.

Let's first try to send double encapsulated 802.1Q frames with Yersinia. On the 802.1Q screen, we fill the fields with default values ([d] key) and go to the editor mode ([e] key). Now let's change the Source MAC value to 66:66:66:66:66:66, then change the VLAN value to 16 and VLAN2 value to 1. Finally, let's exit the editor mode ([return]). Now let's move on to the attack window with [x], and choose attack sending 802.1Q double enc. packet.

Yersinia ICMP Echo Request packet decoded using Ethereal

Ethernet II, Src: 66:66:66:66:66:66, Dst: ff:ff:ff:ff:ff:ff
 Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
 Source: 66:66:66:66:66:66 (66:66:66:66:66:66)
 Type: 802.1Q Virtual LAN (0x8100)
802.1q Virtual LAN
 111. .... .... .... = Priority: 7
 ...0 .... .... .... = CFI: 0
 .... 0000 0001 0000 = ID: 16
 Type: 802.1Q Virtual LAN (0x8100)
802.1q Virtual LAN
 111. .... .... .... = Priority: 7
 ...0 .... .... .... = CFI: 0
 .... 0000 0000 0001 = ID: 1
 Type: IP (0x0800)
Internet Protocol, Src Addr: 10.0.0.1 (10.0.0.1), Dst Addr: 255.255.255.255 (255.255.255.255)
 Protocol: ICMP (0x01)
 Source: 10.0.0.1 (10.0.0.1)
 Destination: 255.255.255.255 (255.255.255.255)
Internet Control Message Protocol
 Type: 8 (Echo (ping) request)
 Checksum: 0xb953 (correct)
 Identifier: 0x0042
 Sequence number: 00:42
 Data (8 bytes)
0000  59 45 52 53 49 4e 49 41                           YERSINIA 

Yersinia uses 802.1Q to send ICMP Echo Request packets with the payload YERSINIA. It is clearly seen, that we've sent a double encapsulated 802.1Q frame - first with VLAN 16 and finally with VLAN 1. This attack only demonstrates, that we can inject traffic to other VLANs (this is called VLAN-hopping). However, more advanced attacks can also be performed, like Man-in-the-Middle.

Alfredo Andrés
David Barroso
S21sec e-crime

Monitoring SCADA network Security

We can agree that SCADA security is the need for the protection of control networks for the operation of critical utilities like energy, oil, gas, transport etc...that are geographically and technically dispersed. Last week I have participated in the NiSSF09 Forum, a specialized Critical Infrastructures (CI) protection forum hosted by NISA, the Israel national agency in charge of the CI protection. There was a closed delegate session for the national agencies dealing with the strategies for CI protection against cyberattacks as well as a open session for the industry that develop technology for this purpose.



The topic was SCADA security and the first thing every presenter talked about was the definition on what we call SCADA security (we will not discuss on what is called a Critical Infrastructure). Firstly I would like to set some root considerations… What we call SCADA security is sometimes controversial. This is because we are used to refer to “SCADA security” when talking about “SCADA network security” and many SCADA equipment vendors claim “our SCADA is very secure”… yes, ok (maybe not so ok) but we are talking about the whole picture, i.e., the SCADA network is the addition of legacy SCADA elements (normally not replaced in 15 years) together with standard ICT elements (changed each 3-5 years).

The open session was divided into 3 sub-themes: security in HMI (Human Machine Interface, the utility operation application), SCADA network security and security in the remote units (RTUs). In the network security session, I heard a very interesting thing pointed: a set of recommendations given by the national agencies for their utilities companies which included :
1) the use of uni-directional links (called data diodes) for the connection between the corporate network and the control network
2) the need of a thoroughly design of critical networks separation and the use of SCADA FWs and
3) the need of monitoring what is really happening related to cybersecurity as well as the need of technical audits in the networks.

We presented the need of security network monitoring in the Critical Infrastructures control networks and the difference between the security monitoring in ICT networks and in SCADA networks, both from the assessment and the monitoring tools perspective, topics on which we are currently involved. Our main considerations were: assessment tools must be non-intrusive and monitoring tools must deal with the lack of events in many SCADA equipment and the change of security requirements when talking about availability and resilience.

And lastly, one thing to be considered, according to the US DHS (Department of Homeland Security) representative: 40% of new industrial equipment sold in 2009 in US is wireless. The reduction of installation costs are boosting the use of wireless technology, security should be a must in that technology… but that is another topic that we will deal with another day.

Daniel Chavarri
S21sec labs

Attacks on the layer two of the OSI model (VI): Dynamic Trunking Protocol

Let's see how an attack is performed on a Catalyst 2950T switch with IOS 12.1(22) EA3. The device is configured with hostname zipi and two VLANs: Office (ports Fa0/10, Fa0/11, Fa0/12 and Fa0/13) and Internet (ports Fa0/20, Fa0/21, Fa0/22 and Fa0/23). The VTP domain has been changed to Yersinia. All other parameters are left as default.

In Yersinia GUI mode, let's choose the DTP protocol screen. If there is DTP in our network, we'll see DTP data in no more than 30 seconds. We can also take a look at the DTP port status from the switch console: our port is Fa0/10 and its status is default.

We need to fill in the bottom fields of the window with default values by pressing [d]. After that, [e] will allow us to modify the Neighbor-ID field and enter the value 666666666666. To finish editing mode, we need to press [return]. Now let's switch to the DTP attack window using [x] and select the enabling trunking attack. The DTP port status will change to TRUNKING and Neighbor address 1 will contain our ID. If, furthermore, we have a look at the VLAN assigned ports as before, we'll see that our port Fa0/10 is no longer in the VLAN list. In the Yersinia's main window we'll see new packets; Yersinia crafted packets are those with Neighbor-ID 666666666666. From now on, we'll be able to carry out attacks against protocols 802.1Q and VTP, and what is more important, we'll be able to behave like just another valid switch, which makes it possible to sniff VLAN traffic (from other VLANs than the one we are connected to).

VLAN assigned ports after the attack
zipi# sh vlan
VLAN Name                          Status    Ports
---- ----------------------------- --------- -------------------------------
1    default                       active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                          Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                          Fa0/9, Fa0/14, Fa0/15, Fa0/16
                                          Fa0/17, Fa0/18, Fa0/19, Fa0/24
                                          Gi0/1, Gi0/2
100 Office                        active    Fa0/11, Fa0/12, Fa0/13
200 Internet                      active    Fa0/20, Fa0/21, Fa0/22, Fa0/23

The only valid countermeasure against DTP attacks is disabling auto-trunking via
the command: switchport mode access. An administrator is then forced to enable
trunking manually (in the switch configuration) to set up every new trunk.


Alfredo Andrés
David Barroso
S21sec e-crime

Attacks on the layer two of the OSI model (V): Dynamic Trunking Protocol

Dynamic Trunking Protocol (DTP) is a proprietary Cisco protocol, which establishes trunks between layer two switches. DTP packets usually have the value 01:00:0C:CC:CC:CC as the destination MAC, and an IEEE 802.3 frame including a 802.2 SNAP header. This protocol is available in most Cisco switches, excluding XL models.

DTP is enabled by default in Cisco devices, ready to negotiate in every switch port. However, it is necessary to know how to negotiate DTP in order to establish a trunk. DTP specification is Cisco proprietary (not public), which makes it more difficult. Therefore, the authors of the article were forced to use reverse engineering of traffic between two switches setting up a trunk in order to find out what the DTP format is.

DTP negotiates both trunk activation and encapsulation type used to send and receive traffic through a given port. The most common encapsulation is IEEE 802.1Q (supported by most Cisco switches). Its specification is a public standard.

On the other hand, ISL can just as well be used, which is a Cisco proprietary protocol supported only by high-end Cisco devices. The main reason for using encapsulation is tagging the packets with their proper VLAN tag. This helps the switches to know where to send the packet.

DTP uses no sender authentication, and, as we already mentioned, it's enabled by default on all ports. The only condition is whether we are able to negotiate DTP. If so, we can have access to other VLANs. In order to learn how to negotiate DTP it's first necessary to know the DTP packet format:

• Domain (32 bytes): ASCII string identical to the configured VTP domain,
• Status (1 byte): shows port status: on, off, desirable or auto; by default: desirable - we can start to negotiate DTP,
• Type (1 byte): encapsulation type supported: ISL, 802.1Q, negotiated (ISL or 802.1Q) or native.
• Neighbor-ID (6 bytes): identifies the device sending the packet; usually: MAC address of the port.

The first step of DTP negotiation in Cisco devices is sending three packets, one per second, showing the trunking status and the encapsulation type required. After that, a DTP packet is sent every 30 seconds. Yersinia implements this behaviour as a thread responsible for the task. On the other hand, it is necessary to control the status of the other device in order to change our status if needed. This is achieved using a loop receiving DTP packets. After a few checks, Yersinia changes its DTP status according to the other device.

DTP port status from the switch console
zipi# sh dtp int Fa0/10
DTP information for FastEthernet0/10:
TOS/TAS/TNS: ACCESS/DESIRABLE/ACCESS
TOT/TAT/TNT: NATIVE/802.1Q/802.1Q
Neighbor address 1: 000000000000
Neighbor address 2: 000000000000

Thanks to the work done with Yersinia, Wireshark added DTP support.

Alfredo Andrés

David Barroso

S21sec e-crime

Attacks on the layer two of the OSI model (IV): Cisco Discovery Protocol

Cisco Discovery Protocol (CDP) is a proprietary Cisco protocol, which allows different Cisco network devices to communicate with one another. However, other vendors might also use CDP if they've bought the technology (for example Hewlett-Packard).

The easiest way to identify a CDP packet is by looking at the following features: an IEEE 802.3 packet with a 802.2 SNAP header and multicast destination MAC 01:00:0C:CC:CC:CC (see Figure 3). A CDP packet always contains interesting information about the properties of the device sending the packet. This information can contain for example:

• device name
• model
• IOS version
• IP address (can contain more than one)
• VTP domain
• capabilities (switch, router, bridge etc).

This data, sent periodically by each Cisco device, can offer very valuable information for later attacks. By default, CDP is enabled in Cisco devices and sends this information every 180 seconds (three minutes).

No authentication is involved when sending and receiving CDP packets. Packet data is sent in clear text. This makes attacks very easy. Additionally, CDP format is explained on the Cisco website (see Inset On the Net). A CDP packet is composed of the following fields:

• Version (1 byte): indicated CDP version, usually one or two
• TTL (1 byte) - Time To Live: CDP packet lifetime
• Checksum (2 bytes): verifies whether the packet is correct
• TLV (variable length) - Type, Length, Value series. This is the field containing the actual data, which is represented by a list of TLV tuples, each tuple with the following format: Type (2 bytes) - data type (for example Device ID, Address, Port ID), Length (2 bytes) - TLV length and Value (variable length) - the actual value (see Table 1 for examples of TLV tuples and Figure 5 for a screenshot of Yersinia showing TLVs for an example packet).

Knowing the format, we can pose as a network device sending a crafted CDP packet. It's also worth knowing, that old Cisco IOS versions have a DoS vulnerability discovered by FX of Phenoelit (see Inset On the Net). If lots of CDP packets with different IDs are sent (trying to behave as different network devices), memory is exhausted in the device. This in turn causes the device to fail and it must be rebooted to work properly. Such an attack can cause a network segment to be disconnected or, if a router is targeted, no access to Internet is possible until the device is rebooted.

If we are connected to a network which contains CDP capable devices, the GUI will quickly show CDP modes of these devices. The first attack related to CDP is based on the above mentioned vulnerability. For that, no additional information is needed.
In the Yersinia GUI in CDP mode press [x] and choose attack flooding CDP table.

Results of a CDP DoS attack
# show cdp neighbours
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
2EEEWWW Gig 0/1 253 yersinia Eth 0
ZCCCUU9 Gig 0/1 250 T S I r yersinia Eth 0
J222FFX Gig 0/1 249 R T yersinia Eth 0
WAAASS6 Gig 0/1 240 R B I r yersinia Eth 0
2IIWWWE Gig 0/1 249 T B H I yersinia Eth 0
K333FFX Gig 0/1 234 R T yersinia Eth 0
TBBBOO7 Gig 0/1 252 B H r yersinia Eth 0
3KKYKYY Gig 0/1 250 R B H yersinia Eth 0
TBBBPP7 Gig 0/1 252 S H I r yersinia Eth 0

Results of a CDP DoS attack - switch log
00:06:08: %SYS-2-MALLOCFAIL: Memory allocation of 224 bytes failed from
0x800118D0, alignment 0
Pool: Processor Free: 0 Cause: Not enough free memory
Alternate Pool: I/O Free: 32 Cause: Not enough free memory
-Process= "CDP Protocol", ipl= 0, pid= 26
-Traceback= 801DFC30 801E1DD8 800118D8 80011218 801D932C 801D9318
00:06:08: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:09: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:10: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:11: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:12: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:13: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:14: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:15: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:16: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:17: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:18: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:19: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:20: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:21: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:22: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:23: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:38: %SYS-2-MALLOCFAIL: Memory allocation of 140 bytes failed from 0x801E28BC, alignment 0
Pool: Processor Free: 0 Cause: Not enough free memory
Alternate Pool: I/O Free: 32 Cause: Not enough free memory

Yersinia also incorporates another attack, which allows to set up virtual Cisco devices. When a network administrator checks the neighbours in one of the real devices, all the crafted virtual devices will show up on a console. This attack has no negative consequences except annoying the network administrator (who will certainly try to find out what is the new device connected to their network).

The only valid countermeasure against CDP attacks is disabling CDP using the command: no cdp run. The protocol itself has not been enhanced for security.

Alfredo Andrés
David Barroso
S21sec e-crime

Attacks on the layer two of the OSI model (III): Spanning Tree Protocol

Let's have a look at three possible attacks at STP. The first two are Denial of Service (DoS) attacks, which force every device participating in STP to recompute their paths. This causes network instability, because every switch is forced to consume CPU time and memory recomputing the paths. It is also possible for such attacks to cause appearance of network loops. The worst scenario is that the entire network goes down and duplicated packets will be seen everywhere, congesting the network and causing total malfunction.

These attacks are rather simple. They are based on sending thousands of BPDUs (in case of first attack - Configuration BPDUs and in the second case - TCNs) which have their source MAC address (and other fields in a Configuration BPDU, like the Bridge ID) generated randomly. This simulates thousands of new devices connecting to the network and wanting to participate in the protocol. This causes chaos.

The two attacks can be performed using Yersinia and are called: sending conf BPDUs and sending tcn BPDUs (press [x] to choose the attack in GUI mode).

Results of a DoS attack sending Configuration BPDU
01:20:26: STP: VLAN0001 heard root 32768-d1bf.6d60.097b on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-9ac6.0f72.7118 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-85a3.3662.43dc on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-3d84.bc1c.918e on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-b2e2.1a12.dbb4 on Fa0/8

Results of a DoS attack sending TCN BPDU
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8

The third attack consists of trying to acquire the STP root role. A BPDU is first captured, which contains the root ID. Then the attacking system is set up, so that it behaves as another network device which wants to participate in the STP and has a lower ID than the current one. The root ID is decremented by one, so that it doesn't differ much from the real root ID and the network administrator won't be able to notice the change with a simple glimpse.

The main consequence of such attack is network instability. We must remember, that all the members of the network send notifications (TCN) to the root device when they detect a change. Only then the root device sends Configuration BPDU with the change bit set to 1 (Flags field) in order to notify all the members to recompute their paths. If the attack is successful, the new, false root device discards the TCNs sent by switches, so no switch recomputes its path. This, in turn, breaks down the structure of the network.

In order to perform the attack in Yersinia, we must first press [d] to fill the BPDU with default values and then run the attack called Claiming Root Role (press [x] and then choose attack four). The attack is a two-phase attack. First we capture the configuration BPDU to learn the root ID, then we send the new crafted configuration BPDU each hello time seconds.

Results of the Claiming Root Role attack
01:58:48: STP: VLAN0001 heard root 32769-000e.84d4.2280 on Fa0/8
01:58:48: supersedes 32769-000e.84d5.2280
01:58:48: STP: VLAN0001 new root is 32769, 000e.84d4.2280 on port Fa0/8, cost 19

The old root ID was 32769-000e.84d5.2280, while the new one is now 32769000e.84d4.2280. If we carefully examine the root ID, we can see that in the fifteenth character there is now a four instead of five. Our virtual device has a lower ID, and is therefore elected to be the STP root ID.

There are more possibilities of STP-based attacks, some of them are implemented in Yersinia. One of them is called Causing Eternal Root Elections - it keeps sending packets with lower and lower IDs, which causes never ending root election and complete network chaos. Another one is called Claiming Root Role with MiTM attack, which is a Man-in-the-Middle-type attack. We can also try Claiming Other Role, which means: trying to behave like just another switch - it's a proof-of-concept attack with no negative consequences.

In order to avoid STP attacks on Cisco devices, an administrator can:

• disable STP where it's not needed,
• use Spanning Tree Portfast BPDU Guard Enhancement and Spanning Tree Protocol Root Guard Enhancement

Alfredo Andrés

David Barroso

S21sec e-crime

Attacks on layer two of the OSI model (II): Spanning Tree Protocol

The purpose of Spanning Tree Protocol (STP) is avoiding network loops when interconnecting network segments. Only one unique path can exist from one device to another. Each STP packet is called BPDU (Bridge Protocol Data Unit), and we can identify it by looking at its format: an IEEE 802.3 packet with a 802.2 header and with destination MAC 01:80:C2:00:00:00.

Two types of BPDU exist: Configuration and Topology Change Notification (TCN). The first one is sent periodically and shows the network configuration, whilst the second one is sent each time a network change is detected (a port is enabled/disabled). More information about STP can be found in IEEE Standard 802.1D.

The main weakness of STP is lack of authentication and control. Every device, every person or attacker can send a BPDU and participate in the protocol. In order to understand the attacks it is necessary to know the format of Configuration BPDU:

• PID (2 bytes): Protocol, always zero
• Version (1 byte): STP version, can be zero (STP), one (RSTP) or three (MSTP)
• Message type (1 byte): BPDU type: configuration (0x00) or TCN (0x80)
• Flags (1 byte): several port settings (useful for RSTP) and a bit for notifying a topology change
• Root ID (8 bytes): root device ID
• Root path cost (4 bytes): cost of the path to the root device
• Bridge ID (8 bytes): BPDU sender ID
• Port ID (2 bytes): port number (IEEE or Cisco STP BPDU) from which the BPDU is sent
• Message age (2 bytes): amount of time which has elapsed since root sent the configuration message on which the current one is based
• Maximum age (2 bytes): when the current configuration message should be deleted
• Hello time (2 bytes): time between sending two configuration BPDUs
• Forward delay (2 bytes): time that bridges should wait before transitioning to a new state after a topology change.

STP can be roughly summarized as: root device election and path computation among all the devices that participate in the spanning tree. In the beginning, every device participates in the root election. The device chosen is the one with the lowest ID.

Once the root has been elected, all the paths are recomputed every time a change in the network takes place. A new root is elected in case the current one disappears or a new device is attached which has a lower ID than the current root device.

Alfredo Andrés

David Barroso

S21sec e-crime

Trojan.Dionizos targets both Firefox and IE users

According to Mozilla they recently count over 270 Million Firefox users now. The fact that Firefox is becoming more and more popular inspires hackers to extend their territory in the hope of doubling their number of victims. Everybody has heard of Trojan.ChromeInject a Trojan that poses as a Firefox plugin in order to harvest logins from about one hundred different banks. We can expect and have to be prepared in the future for more threats and fuss around Firefox. Remember the TODO list of ZeuS? One of the lines on the list dissects interception of Firefox 3+. Statistics also confirm Firefox is at least as popular as Internet Explorer:

Browser Statistics Month by Month
2009	IE7	IE6	IE8	Firefox	Chrome	Safari	Opera
May	21.3%	14.5%	5.2%	47.7%	5.5%	3.0%	2.2%
April	23.2%	15.4%	3.5%	47.1%	4.9%	3.0%	2.2%
March	24.9%	17.0%	1.4%	46.5%	4.2%	3.1%	2.3%
February	25.4%	17.4%	0.8%	46.4%	4.0%	3.0%	2.2%
January	25.7%	18.5%	0.6%	45.5%	3.9%	3.0%	2.3%

Source: http://www.w3schools.com/

Trojan.Dionizos is just yet another banking Trojan that would like to benefit from Firefox users. It installs two malicious DLLs, one for Internet Explorer, and another one for Firefox if it presents on the system. We focus now on the Firefox DLL, the IE DLL is not really something new (installed in the registry as a Browser Helper Object).

If we can believe the TimeStamp, the binary was created at 14:17:21 in 02/09/2008. However its detection rate is still very low, 4 out of 40. See anti-virus scan results:

File name: nsFlash.dll
File size: 45568 bytes
MD5: 0f9c9428abda8836e2d699239640b405

Vendor	Description
a-squared	Trojan-PWS.Dioniz!IK
AntiVir	TR/PSW.Dioniz.45568
McAfee-GW-Edition	Trojan.PSW.Dioniz.45568
Prevx	High Risk Worm

Full scan result here

The Trojan was written in full C++, using the Gecko/XPCOM interface, which concept is very similar to Microsoft's COM/OLE model also favourited by malware authors to create malicious plugins and BHOs for Internet Explorer (Browser Helper Objects). Talking about Firefox, the Trojan attaches itself to the following provided interfaces:

@mozilla.org/XPCOMSystems/UrlParser;1 @mozilla.org/XPCOMSystems/StreamConv;1 @mozilla.org/cookiemanager;1 @mozilla.org/io/string-input-stream;1 @mozilla.org/observer-service;1 @mozilla.org/categorymanager;1 @mozilla.org/streamconv;1

The most important one is the observer-service interface. It notifies the Trojan about various events happening in the browser such like a form submission occurred, an URL just has been opened, etc.

To ensure its survivalence and be able to loaded each time the browser is started, it does the following trick (which seems to be a legit way to register a component indeed). First, the malicious DLL is placed into the directory:

C:\Program Files\Mozilla Firefox\components\nsFlash.dll

After that, the files xpti.dat and compreg.dat are going to be deleted in these two subfolders:

C:\Program Files\Mozilla Firefox\components\ C:\Documents and Settings\[user name]\Datos de programa\Mozilla\Firefox\ Profiles\[random chars].default\

In the last path of the above two, the random characters within the Profiles folder cannot be guessed by the Trojan, so it attempts to do a recursive search.

Deleting these .dat files is harmless, Firefox upon start, regenerates them automatically. And that’s the point how the Trojan achieves to get registered into Firefox. When the browser is launched it does a search for available components and it will recreate the database files (xpti and compreg.dat). The newly generated .dat files will include nsFlash.dll as a registered component. See a snippet from compreg.dat:

File: compreg.dat

Generated File. Do not edit. [HEADER] Version,0,5 [COMPONENTS] rel:nsSafebrowsingApplication.js,1212071050000 rel:nsTryToClose.js,1212071050000 rel:nsBrowserGlue.js,1212071050000 rel:aboutRobots.js,1212071050000 ... rel:nsFlash.dll,1242384082000 ... [CLASSIDS] {bfc310d2-38a0-11d3-8cd3-0060b0fc14a3},,application/x-mozilla-static,,nsLayoutModule ...{1c8cbc42-c647-4fc7-a282-6e618dce8bfc},,application/x-mozilla-native,, rel:nsFlash.dll ...

An interesting fact is that the author made a check for previous infections by a simple evaluation if a given filename already exists. This lets us know what other filenames already are being in use, here is the list:

\components\nsHelp.dll \components\nsHelper.dll \components\ExtensionManager.dll \components\nsSidebar.dll \components\nsDebug.dll \components\nsFlash.dll

The Trojan's workdirectory is System32\spool\, Dionizos stores here its data and configuration files among some printing related legit files which are also stored there by the Operating System. The abused filenames are:

System32\spool\c.ini System32\spool\desktops.ini System32\spool\printer.dat System32\spool\dr.ini

There are four domain names related to this binary, each of them are base64 encoded in the binary:

C&C Servers of Dionizos
Y29uc3RlbGxhdGlvbnMud3M=	constellations.ws
aS1wbGF0Zm9ybS5jbg==	i-platform.cn
bGl2ZWFydHMuY2M=	livearts.cc
YXN0cm8tcGh5c2ljcy5jYw==	astro-physics.cc

During the communication with the C&C server, Dionizos sends a version parameter in the GET/POST messages like &ver=Dionizos_xml. Although we have observed a few more differing versions, but very likely this string was the hint in choosing the Trojan's name Dionizos:

Dionizos versions

Dionizos_xml

Delta-v2s_PG_scrn_XML

v99_3i_pg_XML

Dionizos functionalities are:

• Deactivate Kaspersky anti-virus and Comodo Firewall
• Alter and grab HTTP/HTTPS traffic
• Steal certificates, saved passwords, cookies
• Steal POP3 and Webmail passwords
• Screen capture facility
• Download and execute file
• Kill the OS
• List of processes
• List of services
• List of auto-run applications

Dionizos we are keeping our eyes on you!

Jozsef Gegeny
S21sec e-crime

Playing minesweeper with IIS permissions

Some days ago Microsoft published and advisory about a new vulnerability in IIS. This vulnerability allows bypassing the authentication of Webdav directories. By exploiting this vulnerability an attacker can read files inside those directories, even if they are password protected.

Soon appears an entry in the Microsoft SRD (Security Research & Defense) blog telling the vulnerability only happens under some circumstances and it’s not present in the default configuration. That makes me remember some common situations found at S21sec when we are auditing IIS servers.

In theory the default IIS configuration is secure but a lot of administrators, by need or by curiosity, modify this configuration. And then we enter in a dangerous field. We have to take special care with the configuration of directory permissions. As we can see in this tab:


This is the default situation. But what happens if we check some of the other options that are unchecked:

• Script source access:

If we check this option, we permit the source code of the ASP scripts to be downloaded by using the GET method of HTTP and the infamous “Translate: f” header. For example:


• Write:

With this option we allow the upload of files to the server (if the NTFS permissions also allow it) by using the PUT method of HTTP.


• Directory browsing:

This option allows listing the directory for viewing the files inside by using the PROPFIND method of HTTP. The output is XML, but we can easily see the names of the listed files.


• Index this resource:

This last option also allows to use the SEARCH method of HTTP for listing the directory (the “directory browsing” option must also be checked).


So we end at the following situation:


Resuming, better don’t touch.

Ramon Pinuaga Cascales
Dept. Auditoria S21sec

Attacks on layer two of the OSI model (I)

Layer two of OSI model is one of the weakest links when trying to assure network security in an organization. It is also one of the most commonly ignored, because there aren't many public implementations of layer two attacks. However, a successful attack on layer two can be just as dangerous as any other.

The Data link layer is one of the least secured and most often forgotten elements of networks. It's quite common that administrators simply connect the switches, configure them to work and then never worry about them. Pen-testing often reveals
switches, which use a vulnerable version of IOS and are not hardened in any way. It is also commonly thought, that implementing VLAN in a network keeps malicious attackers away. However, VLAN architecture can just as well be defeated and therefore all higher OS layer attacks such as sniffing passwords, Man-in-the-Middle are possible across VLANs.

The good thing about layer two is the fact, that Data link layer packets can't go through IP networks, for example the Internet. Therefore all attacks are limited to internal networks. But then again, statistics show that attacks from inside can be just as dangerous as the ones from the outside. It must also be remembered, that if an external intruder traverses our firewall and gets to the DMZ, such attacks can allow him to escape the DMZ and target our whole network. Let's see what common Data link layer vulnerabilities are, how can they be exploited by an attacker and what can we do to protect our equipment. All the examples are related to Cisco equipment, but some of them can just as well affect equipment from other vendors. Most of the observations and data have been obtained by the authors via research and development of the Yersinia tool. Sometimes it has been impossible to find references or publicly available code, therefore certain observations are based on behavioural analysis and not on published standards.

What you will learn:

• specifications of OSI layer two protocols: STP, CDP, DTP, IEEE 802.1Q, VTP,
• how to perform attacks against those protocols,
• how to defend your system against those attacks,
• how to use Yersinia, a useful tool for network administrators and pen-testers.

Alfredo Andrés

David Barroso

S21sec e-crime

Analysis of malicious PDF files

As I mentioned before, one of the ways to hide information in a PDF file is trough the encoding/compression of streams, thanks to filters (/Filter parameter), being /FlateDecode the most used. The bad guys have been using it some time ago to hide obfuscated Javascript code with some vulnerable functions (Collab.collectEmailInfo, util.printf, getAnnots, getIcon, spell.customDictionaryOpen), or using heap-spraying to exploit another vulnerability not related with Javascript, like the /JBIG2Decode filter one.

To help in the analysis of these malicious files I've written a mini Python tool, using Spidermonkey to execute the found Javascript code and showing the shellcode to be launched. Automating the execution of obfuscated Javascript code is not a simple issue because there are many ways of doing it and everyday a new one arises, so I've tried to do an approximation to the problem, thanks to the malicious samples that I've seen. In the case the script won't be able to go till the end it's possible to specify the parameter -w to write to disk the Javascript code, helping to carry out a later manual analysis.

In order to execute the script the Spidermonkey library (and Pyrex) is required.

The downloaded file contains the script and a malicious PDF sample with a shellcode that tries to download and execute some malicious code from an URL. The domain doesn't resolve anymore so there's no problem with that. If you execute it with the sample file you should see the following output:



This output has five sections where you can find trigger events (/OpenAction and /AA), suspicious actions (/JS, /Launch, /SubmitForm and /ImportData), vulnerable elements, escaped bytes and URLs, which can be useful to get an idea of the file risk.

It will probably have several bugs or maybe you want to comment on it, so, please, let me know! ;)


pdf-analyzer.zip


Jose Miguel Esparza
S21sec e-crime